466_HTC_Linux_FM.qxd 10/2/07 10:05 AM Page iii

How to Cheat at Securing Linux

Mohan Krishnamurthy
Eric S. Seagren
Raven Alder
Aaron W. Bayles
Josh Burke
Skip Carter
Eli Faskha

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

How to Cheat at Securing Linux
Copyright © 2008 by Elsevier, Inc. All rights reserved.
Printed in the United States of America.

Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN-13: 978-1-59749-207-2

Publisher: Amorette Pedersen
Acquisitions Editor: Andrew Williams
Page Layout and Art: Patricia Lupien
Cover Designer: Michael Kavish
Indexer: Michael Ferreira

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.

Contributing Authors

Mohan Krishnamurthy Madwachar (OPSA, OPST) is the GM – Network Security, Almoayed Group, Bahrain. Mohan is a key contributor to their projects division and plays an important role in the organization’s Network Security initiatives. Mohan comes from a strong networking, security and training background. His tenure with companies such as Schlumberger Omnes and Secure Network Solutions India adds to his experience and expertise in implementing large and complex network and security projects. Mohan holds leading IT industry standard and vendor certifications in systems, networking and security. He is a member of the IEEE and PMI. Mohan would like to dedicate his contributions to this book to his brother Anand, his wife Preethi Anand and their sweet daughter Janani. Mohan has co-authored two books, Designing & Building Enterprise DMZs (ISBN: 1597491004) and Configuring Juniper Networks NetScreen & SSG Firewalls (ISBN: 1597491187), published by Syngress. He also writes in newspaper columns on various subjects and has contributed to leading content companies as a technical writer and a subject matter expert.

Eric S. Seagren (CISA, CISSP-ISSAP, SCNP, CCNA, CNE-4, MCP+I, MCSE-NT) has 10 years of experience in the computer industry, with the last eight years spent in the financial services industry working for a Fortune 100 company. Eric started his computer career working on Novell servers and performing general network troubleshooting for a small Houston-based company. Since he has been working in the financial services industry, his position and responsibilities have advanced steadily. His duties have included server administration, disaster recovery responsibilities, business continuity coordinator, Y2K remediation, network vulnerability assessment, and risk management responsibilities. He has spent the last few years as an IT architect and risk analyst, designing and evaluating secure, scalable, and redundant networks. Eric has worked on several books as a contributing author or technical editor. These include Hardening Network Security (McGraw-Hill), Hardening Network Infrastructure (McGraw-Hill), Hacking Exposed: Cisco Networks (McGraw-Hill), Configuring Check Point NGX VPN-1/FireWall-1 (Syngress), Firewall Fundamentals (Cisco Press), and Designing and Building Enterprise DMZs (Syngress). He has also received a CTM from Toastmasters of America.

Aaron W. Bayles is a senior security consultant with Sentigy, Inc. of Houston, TX. He provides service to Sentigy’s clients with penetration testing, vulnerability assessment, and risk assessments for enterprise networks. He has over years experience with INFOSEC, with specific experience in wireless security, penetration testing, and incident response. Aaron’s background includes work as a senior security engineer with SAIC in Virginia and Texas. He is also the lead author of the Syngress book, InfoSec Career Hacking: Sell your Skillz, Not Your Soul. Aaron has provided INFOSEC support and penetration testing for multiple agencies in the U.S. Department of the Treasury, such as the Financial Management Service and Securities and Exchange Commission, and the Department of Homeland Security, such as U.S. Customs and Border Protection. He holds a Bachelor’s of Science degree in Computer Science with post-graduate work in Embedded Linux Programming from Sam Houston State University and is also a CISSP.

Raven Alder is a Senior Security Engineer for IOActive, a consulting firm specializing in network security design and implementation. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for LinuxChix.org and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in Seattle, WA. Raven was a contributor to Nessus Network Auditing (Syngress Publishing, ISBN: 1931836-08-6).

Dr. Everett F. (Skip) Carter, Jr. is President of Taygeta Network Security Services (a division of Taygeta Scientific Inc.). Taygeta Scientific Inc. provides contract and consulting services in the areas of scientific computing, smart instrumentation, and specialized data analysis. Taygeta Network Security Services provides security services for real-time firewall and IDS management and monitoring, passive network traffic analysis audits, external security reviews, forensics, and incident investigation. Skip holds a Ph.D. and an M.S. in Applied Physics from Harvard University. In addition he holds two Bachelor of Science degrees (Physics and Geophysics) from the Massachusetts Institute of Technology. Skip is a member of the American Society for Industrial Security (ASIS). He was contributing author of Syngress Publishing’s book, Hack Proofing XML (ISBN: 1-931836-50-7). He has authored several articles for Dr. Dobb’s Journal and Computer Language as well as numerous scientific papers and is a former columnist for Forth Dimensions magazine. Skip resides in Monterey, CA, with his wife, Trace, and his son, Rhett.

Josh Burke (CISSP) is an independent information security consultant in Seattle, Washington. He has held positions in networking, systems, and security over the past seven years in the technology, financial, and media sectors. A graduate of the business school at the University of Washington, Josh concentrates on balancing technical and business needs for companies in the many areas of information security. He also promotes an inclusive, positive security philosophy for companies, which encourages communicating the merits and reasons for security policies, rather than educating only on what the policies forbid. Josh is an expert in open-source security applications such as Snort, Ethereal, and Nessus. His research interests include improving the security and resilience of the Domain Name System (DNS) and the Network Time Protocol (NTP). He also enjoys reading about the mathematics and history of cryptography, but afterward often knows less about the subject than when he started.

Eli Faskha (Security+, Check Point Certified Master Architect, CCSI, CCSE, CCSE+, MCP). Based in Panama City, Panama, Eli is Founder and President of Soluciones Seguras, a company that specializes in network security and is a Check Point Gold Partner and Nokia Authorized Partner. He was Assistant Technical Editor for Syngress’ Configuring Check Point NGX VPN-1/Firewall-1 (ISBN: 1597490318) book and Contributing Author for Syngress’ Building DMZs for the Enterprise (ISBN: 1597491004). Eli is the most experienced Check Point Certified Security Instructor and Nokia Instructor in the region, and has taught participants from over twenty different countries, in both English and Spanish. A 1993 graduate of the University of Pennsylvania’s Wharton School and Moore School of Engineering, he also received an MBA from Georgetown University in 1995. He has more than years of Internet development and networking experience, starting with web development of the largest Internet portal in Panama in 1999 and 2000, managing a Verisign affiliate in 2001, and running his own company since then. Eli has written several articles for the local media and has been recognized for his contributions to Internet development in Panama.

466_HTC_Linux_TOC.qxd 10/2/07 10:12 AM Page ix

Contents

Chapter: Presenting the Business Case for Open Source Software
  Introduction
  The Costs of Using Free Security Solutions
    Training Costs
    Hardware Costs
    Consulting Costs
    Hidden Costs
  The Savings of Using Free Security Solutions
    Purchase Costs
    Maintenance Costs
    Customization Costs
  Comparing Free Solutions with Commercial Solutions
    Strengths of Free Solutions
    Weaknesses of Free Solutions
    Evaluating Individual Solutions ... 10
  “Selling” a Free Solution ... 13
    Selling by Doing ... 13
    Presenting a Proposal ... 14
  Summary ... 15
  Solutions Fast Track ... 15
  Frequently Asked Questions ... 16

Chapter: Hardening the Operating System ... 17
  Introduction ... 18
  Updating the Operating System ... 18
    Red Hat Linux Errata and Update Service Packages ... 18
    Handling Maintenance Issues ... 19
    Red Hat Linux Errata: Fixes and Advisories ... 20
    Bug Fix Case Study ... 23
  Manually Disabling Unnecessary Services and Ports ... 25
    Services to Disable ... 26
    The xinetd.conf File ... 26
  Locking Down Ports ... 28
    Well-Known and Registered Ports ... 28
    Determining Ports to Block ... 30
    Blocking Ports ... 30
    Stand-Alone Services ... 31
  Hardening the System with Bastille ... 32
    Bastille Functions ... 33
    Bastille Versions ... 35
    Implementing Bastille ... 35
    Undoing Bastille Changes ... 41
  Controlling and Auditing Root Access with Sudo ... 42
    System Requirements ... 44
    The Sudo Command ... 44
    Installing Sudo ... 45
    Configuring Sudo ... 47
    Running Sudo ... 50
    No Password ... 52
    Sudo Logging ... 53
  Managing Your Log Files ... 56
  Using Logging Enhancers ... 57
    SWATCH ... 57
    Scanlogd ... 59
    Syslogd-ng ... 61
  Security Enhanced Linux ... 63
  Securing Novell SUSE Linux ... 68
    Firewall Configuration ... 72
    Novell AppArmor ... 74
  Host Intrusion Prevention System ... 77
  Linux Benchmark Tools ... 79
  Summary ... 84
  Solutions Fast Track ... 85
  Frequently Asked Questions ... 89

Chapter: Enumeration and Scanning Your Network ... 91
  Introduction ... 92
  Scanning ... 92
  Enumeration ... 92
  How Scanning Works ... 94
    Port Scanning ... 94
  Going Behind the Scenes with Enumeration ... 96
    Service Identification ... 96
    RPC Enumeration ... 97
    Fingerprinting ... 97
  Open Source Tools ... 98
  Scanning ... 98
    Fyodor’s nmap ... 98
    netenum: Ping Sweep ... 103
    unicornscan: Port Scan ... 103
    scanrand: Port Scan ... 104
  Enumeration ... 106
    nmap: Banner Grabbing ... 106
    Windows Enumeration: smbgetserverinfo/smbdumpusers ... 112
  Summary ... 116
  Frequently Asked Questions ... 119

Chapter: Introducing Intrusion Detection and Snort ... 121
  Introduction ... 122
  How an IDS Works ... 123
    What Will an IDS Do for Me? ... 124
    What Won’t an IDS Do for Me? ... 125
  Where Snort Fits ... 126
  Snort System Requirements ... 127
    Hardware ... 127
    Operating System ... 128
    Other Software ... 128
  Exploring Snort’s Features ... 129
    Packet Sniffer ... 130
    Preprocessor ... 131
    Detection Engine ... 132
    Alerting/Logging Component ... 133
  Using Snort on Your Network ... 136
    Snort’s Uses ... 138
    Using Snort as a Packet Sniffer and Logger ... 138
    Using Snort as an NIDS ... 143
    Snort and Your Network Architecture ... 143
    Snort and Switched Networks ... 147
  Pitfalls When Running Snort ... 149
    False Alerts ... 150
    Upgrading Snort ... 150
  Security Considerations with Snort ... 151
    Snort Is Susceptible to Attacks ... 151
    Securing Your Snort System ... 152
  Summary ... 154
  Solutions Fast Track ... 154
  Frequently Asked Questions ... 156

Chapter: Installing and Configuring Snort and Add-Ons ... 157
  Placing Your NIDS ... 158
  Configuring Snort on Linux ... 160

466_HTC_Linux_11.qxd 9/18/07 5:04 PM Page 401

Apache Web Server Hardening • Chapter 11

... consider using is a module called mod_apache_snmp, available at http://mod-apachesnmp.sourceforge.net/. The module can provide real-time monitoring of various metrics including, but not limited to:

■ Load average
■ Server uptime
■ Number of errors
■ Number of bytes and requests served

You might consider other commercial SNMP-based solutions, especially for enterprise-scale deployments. These tools help expedite monitoring deployment and usually include enhanced functionality to
automatically alert you when important thresholds, such as Web site concurrent connections, are crossed.

466_HTC_Linux_Index.qxd 10/2/07 10:14 AM Page 403

Index

A
Access control, 265
ACID, 134–135, 174
Active attack, 208
Active monitoring, 136–137
Address resolution protocol, 230
Advanced Encryption Standard, 253–254
Alerting component, of Snort, 133–136
Algorithms: Advanced Encryption Standard, 253–254; asymmetric encryption, 255–258; cryptographic, 255–256; Data Encryption Standard, 252–253, 270; definition of, 250; description of, 250–251; Diffie–Hellman, 256–257, 264; digital signature, 257; El Gamal, 257; hashing, 258–260; International Data Encryption Algorithm, 254; Lucifer, 252; Rijndael, 253–254; Rivest, Shamir, & Adleman, 258; strength of, 254–255; summary of, 267; symmetric encryption, 251–255; Triple Data Encryption Standard, 252–253; vulnerabilities of, 269
amap, 111–112, 118
Analyzer, 211
Anomaly detection, 123
Apache Web server: access control directives, 396; authentication directives, 397–398; compiling of, 389; default files, 399–400; denial-of-service directives, 395–396; description of, 35; directory functionality directives, 398; hardening of, 386–400; httpd.conf file, 392–394; installing of, 389; logging directives, 398–399; mod_security, 391–392; modules, 390; Nobody account, 387; operating system (preparation of, 387; vulnerabilities of, 385–386); performance directives, 395–396; secure operation monitoring of, 400–401; security flaws in, 384–385; server software obfuscation directives, 396; software, 388–392; SSL enabled for, 390; unneeded files, 399–400; unsecured web-based code, 384; update ownership/permissions, 400; user directives, 394–395; version of, 396; vulnerabilities of, 384–385
AppArmor, 74–77, 85
Application gateways, 273
Application intrusion detection systems, 123
Application layer, of Open Systems Interconnection model, 221–223
Asymmetric cryptography, 265
Asymmetric encryption algorithms, 255–258
Atheros, 232
Attack signatures: definition of, 123; detection of, 123
Attacks: brute-force, 251–252, 256; man-in-the-middle, 262–264; on Snort, 151–152; SYN, 360
Audit daemon, 366–367
Auditing, 366–370
Authentication: Apache Web server methods of, 397–398; description of, 261, 265, 269
Authorized Use banners, 34
Automatic time synchronization, 353–355

B
Banner grabbing, 106–107
Barnyard, 174–175
BASE, 135
Basic Analysis and Security Engine, 165–172
Bastille: configuration file for, 36; description of, 32–33, 361; download site for, 35; functions of, 33–35; graphical user interface, 37–38, 361; implementing of, 35–41; installation issues, 89; logging your configurations in, 36–37; questions, 39–40; summary of, 84; undoing changes, 41–42; versions of, 35
Bastion host: auditing access to resources, 366–370; checklist for, 379; configurations, 373–378; controlling access to resources, 362–366; description of, 342; DNS server, 377–378; FTP server, 374–376; graphical user interfaces, 372–373; hardening scripts, 361–362; logs, 368–370; maintenance and support of, 379; patching of, 355; remote administration of, 370–373; set user ID programs, 357; SMTP relay server, 376–377; summary of, 380; system installation, 342–346; updates, 355–357; Web server, 373–374
Benchmark tools, 79–83
Berkeley Packet Filter, 142–143
Block ciphers, 250, 256
Blocking of ports, 30–32
Bootable compact disk, 233
Broadcast domain, 226
Broadcast protocol, 212
Broadcom, 232
Brute-force attacks, 251–252, 256
Bug: fixes for, 20, 23–25; notification of, 21
Burned-in address, 216

C
Cable taps, 226, 231
CD-ROM installation, 280–281
Center for Internet Security, 79–83, 85
Channel bonding, 183–184
Checkpoint firewall, 278–279
Chipsets, 231
chkconfig, 348
Ciphers: block, 250, 256; stream, 250, 255, 269; Vernam, 265–266
Ciphertext, 250
Cisco Security Agent, 78
clt.up file, 329
Collision domains: definition of, 226; hub, 226–227; switch, 228
Commercial solutions, 7–9
CommView for WiFi, 232
Computer-based encryption, 251
Confidentiality, 261, 267, 269
Confusion operations, 253
Connectionless protocol, 218
Connection-oriented protocol, 218
Consultants, 3–4
Consulting costs, 3–4
Content scrambling system, 270
Costs: customization; heating, ventilation, and air conditioning; maintenance; power consumption; purchase; training, 2–3
Cryptanalysis, 262
Cryptographic algorithms, 255–256
Cryptography: access control, 265; asymmetric, 265; confidentiality goals, 261, 267, 269; definition of, 250, 260; encryption, See Encryption; history of, 260–261; integrity goals, 262–264, 269; non-repudiation, 265; one-time pad, 265–266, 269–270; principles of, 262; symmetric, 265
Cryptosystems, 262
CSMA/CD, 223–224
CTRL-ALT-DELETE rebooting, 33
Customization, 6–7

D
Daemons, 347
Data Encryption Standard, 252–253, 270
Database plug-ins, 196
Debian Linux, 385
Decryption, 250
Demarc, 135
Demilitarized zone: description of, 7, 89; firewalled network with, 146–147; functions of, 145; one-legged, 276–277; true, 277–278; virtual private network concentrator inside of, 327
Denial-of-service attack, 225
Denial-of-service directives, 395–396
Detection plug-ins, 195–196, 202
Diffie–Hellman algorithm, 256–257, 264
Diffusion operations, 253
Digital fingerprints, 259
Digital signature algorithm, 257
Digital signatures, 263
Disabling of services, 26–28
Discrete logarithms, 257
Distributed intrusion detection systems, 123–124
Distributions, 343
dmesg, 368
DNS, 92, 233–234, 324
DNS server, 377–378
Dsniff, 211
Dynamic host configuration protocol, 306

E
Easy Firewall Generator, 307
Edge firewall, 275
El Gamal algorithm, 257
Encrypted passwords, 259–260
Encryption: computer-based, 251; definition of, 250–251, 261; opportunistic, 246; public key, 152, 258, 263; virtual private network, 239
Encryption algorithms: asymmetric, 255–258; symmetric, 251–255
Enterasys Dragon Host Sensors, 78
Enumeration: amap, 111–112, 118; definition of, 92; example of, 92–93; fingerprinting, 92, 97–98, 100–101; httprint, 109–110, 117; IKE-scan, 110–111, 117; nmap: Banner Grabbing, 106–107; remote procedure call, 97; service identification, 96–97; smbclient, 115–116, 118; Windows, 112–116; Xprobe2, 108–109, 117; xSMBrowser, 114–115, 118
Ethernet, 212–213
EtherPeek, 211
Ettercap, 211

F
Feistel cycles, 252
File(s): clt.up, 329; httpd.conf, 392–394; srvr.up, 329; Sudoers, 47, 50; syslog.conf, 54; xinetd.conf, 26–27
File transfer protocol: description of, 220; disabling of, 27–28
Fingerprinting, 92, 97–98, 100–101
Finisar Tap family, 226
Firestarter, 301–307
Firewall(s): application gateways, 273; architectures, 274–278; CD-ROM installation, 280–281; checkpoint, 278–279; description of, 272; edge, 275; full install, 280; hardware, 278–279; implementation of, 278–325; intrusion detection system similarity to, 122; netfilter, See netfilter; packet-filtering, 272–273; screened subnet, 274–275; Smoothwall, 316–325; with Snort, 145–147, 176, 202; software, 278–279; stateful inspection, 273; summary of, 338–339; for SUSE Linux, 72–74; traffic to and from, 289–291; USB installation, 281; Windows, 291
Firewall appliance, 278
Firewall Builder, 307–316
Flow, 189
Forensics, 198
Frag3, 189
Free security solutions: commercial solutions vs., 7–9; consulting costs of; costs of using, 2–5; customization costs; evaluation steps for, 10–12, 16; “freeness” of, 16; hardware costs of; hidden costs of, 4–5; lack of support for, 8–9; maintenance costs; management capabilities of; proposal for using, 14; reporting capabilities of; savings associated with, 5–6; selling of, 13–14; strengths of, 7–8; testing of, 11; training costs of, 2–3; weaknesses of, 8–9
FreeBSD, 385
FTP server, 374–376

G
Gateway intrusion detection systems, 122–123
gnmap, 99
Grabbing, 92
Graphical user interfaces: Bastille, 37–38; Firestarter, 301–307; Lokkit, 300–301; NTP, 354; remote, 372–373; Snort, 165–170

H
Haldaemon, 351
Handshaking, 226
Hardening scripts, 361–362
Hardware costs
Hardware firewalls, 278–279
Hashing, 258
Hashing algorithms, 258–260
Heating, ventilation, and air conditioning costs
Heuristics, 123
Home network router, 291–294
HoneyNet project, 242
Host intrusion prevention systems, 77–79, 85
Host-based intrusion detection systems, 122
Hosts, 215
HTTP, 236–237, 273
httpd.conf file, 392–394
httprint, 109–110, 117
Hubs, 159, 226

I
IBM Internet Security Systems, 78
ICMP Redirect, 230
IKE-scan, 110–111, 117
Implementation
Incident handling, 198–199
Incident.pl, 135
Inefficiency-related costs, 4–5
Internal policy violators, 197
International Data Encryption Algorithm, 254
Internet control message protocol, 126
Intrusion detection systems: application, 123; characteristics of, 122–123; data generated by, 125; definition of, 122; design of, 122; distributed, 123–124; firewalls and, 122, 176; gateway, 122–123; hacking of, 158; host system, 158; host-based, 122; known-good or known-bad policy used by, 124; limitations of, 125–126; mechanism of action, 123–126; network-based, 122, 158–160; placement of, 158–160; signature detection, 123, 137; sniffer as, 247; Snort, See Snort; strengths of, 124–125; summary of, 177
Intrusion prevention system, 196
IP, 224–225
IP address watchlists, 198
IPChains, 382
IPSec, 110, 240, 327
IpTables: configuring of, 363–365; description of, 290, 382

J
Jabber, 206
Jitter, 206

K
KeepAlive, 395
KeepAliveTimeout, 395
Kernel, 356–357
Kernel auditing, 366
Kernel patches, 355
Key exchanges, 264
Key management, 255
Keystream, 255–256
Kismet, 232

L
Lack of support, 8–9
Linux: automatic time synchronization, 353–355; bastion host, See Bastion host; CD-ROM installation, 280–281, 344–345, 382; disk partitions, 343; distribution media, 344–346; floppy disk installation, 281–282, 345; full install, 280, 344; installation of, 342–346; minimizing services, 341, 347–349; optional software, 349–352; patching of, 386; removal of optional components, 346–353; security-enhanced, 63–67, 85, 357–359; USB drive installation, 281, 345; version of, 343; window manager, 352–353
Log files, 56–57
Logging: Apache Web server, 398–399; Snort, 133–136, 138–143; Sudo, 53–56
Logging enhancers: definition of, 57, 84; Scanlogd, 59–61, 85; SWATCH, 57–59, 85; Syslogd-ng, 61–62, 85
Loghog, 135
Logical address, 217–218
Logwatch, 368–370
Lokkit, 300–301
Lucifer algorithm, 252

M
MacSniffer, 212
Maintenance: Bastion host, 379; costs of; handling of, 19–25
Mandrake Linux, 33
Man-in-the-middle attacks, 262–264
Materials, 2–3
MaxClients, 395
MaxSpareServers, 395
Media access control address: description of, 212, 227; spoofing, 230–231
Media access control sublayer, of Open Systems Interconnection model, 216–217
Message Digest 4/Message Digest 5, 260
MinSpareServers, 395
mod_security, 391–392
modsecurity.conf file, 393–394

N
nbtscan, 118
Nessus, 119
Net Optics, 226
NetBSD, 385
Netenum, 103, 117
Netfilter: CD-ROM installation, 280–281; commands, 294–296; configuring of, 279–298; description of, 279; examples of, 287–298; Filter table, 283; full install, 280; graphical user interfaces (description of, 298; Easy Firewall Generator, 307; Firestarter, 301–307; Firewall Builder, 307–316; Lokkit, 300–301; security level configuration for, 298–299); installation media, 279–298; Mangle table, 283; Nat table, 283; operation, 282–287; options summary, 296–298; packet flow, 284; Raw table, 283; rules and chains, 288–289; tables and chains, 282; TCP Wrappers vs., 382; traffic to and from the firewall, 289–291; USB installation, 281
Netstumbler, 232
Network: monitoring of, 182–183; Snort on, 136–138; virtual private, See Virtual private network; wireless, 231–233
Network address translation, 5, 33, 292–293
Network analysis: definition of, 204; description of, 241; summary of, 243; uses of, 207
Network analyzers: description of, 204–206; list of, 210–212
Network General Sniffer, 210
Network interface card: description of, 127; Ethernet, 216; in promiscuous mode, 212
Network policy, 241
Network-based intrusion detection systems: description of, 122; placement of, 158–160; Snort as, 143
NFS, 35
nGenius, 12
nmap: banner grabbing, 106–107; ICMP options, 99; options for, 95–96; OS fingerprinting, 100–101; output options, 99–100; Ping Sweep, 98–99; scripting, 102; speed options, 102–103; stealth scanning, 100; summary of, 116–117
Nodes, 215
NOPASSWD tag, 52–53, 90
Novell AppArmor, 74–77, 85
Novell SUSE Linux: description of, 85; firewall configuration, 72–74; logs, 71; patching of, 385; securing of, 68–74
NTP, 235–236
NX technology, 332–337, 340

O
Oinkmaster, 135, 173–174
One-legged demilitarized zone, 276–277
One-time pad, 265–266, 269–270
One-time passwords, 240
One-way functions, 259
One-way hashes, 258–259
Open Systems Interconnection model: Application layer of, 221–223; Data Link layer of, 215–217; description of, 213–215; LLC sublayer of, 217; Media Access Control sublayer of, 216–217; Network layer of, 217–218; Physical layer of, 215; Presentation layer of, 221; schematic diagram of, 214; Session layer of, 220–221; Transport layer of, 218–220
OpenBSD, 385
OpenVPN, 240
Operating systems (See also specific operating system): patching of, 385–386; secure, 386; updating of, 18–19
Opportunistic encryption, 246
Orinoco, 232
OS fingerprinting: passive, 107–108, 117; scanning, 100–101; Xprobe2, 108–109, 117
Output plug-ins, 196, 202

P
Package enhancements, 20
Packet sniffer, 130–131
Packet sniffing, using Snort, 138–143
Packet-filtering firewall, 272–273
Packets, 212
Packetyzer, 211
Passive attack, 208
Passive monitoring, 136
Passive network tap, 182–183
Passive OS fingerprinting, 107–108, 117
Passwords, encrypted, 259–260
Patching: of bastion host, 355; of Linux system, 386; of operating systems, 385–386; of Unix systems, 386
Penetration testing, 119
Ping Sweep, 98–99, 103
Pirut, 351
Plaintext, 250
Plug-ins, for Snort: database, 196; definition of, 188; description of, 131, 156; detection, 195–196, 202; dynamic, 188; output, 196, 202; preprocessor, 188–195
Port(s): adding of, 31; blocking of, 30–32; commonly used, 219–220; locking down, 28–32; numbers of, 29; switched port analyzer, 147
Port mirroring, 228–229
Port network address translation, 293
Port scanning: description of, 94–96; scanrand, 104–106, 117; unicornscan, 103–104, 117
Port spanning, 228
Portscan, 189
Power consumption
Preprocessors: description of, 131–132; plug-ins, 188–195, 202
Presentation layer, of Open Systems Interconnection model, 221
Pretty Good Privacy, 254
Prism2, 232
Private key, 257
PRTG Traffic Grapher, 175
Public key, 255, 257
Public key cryptography, 255
Public key encryption, 152, 258, 263
Public key infrastructure, 251
Pup, 351
Purchase costs

R
Razorback, 135
Read-only memory, 233
Rebooting, 33
Red Hat Enterprise Linux, 346
RedHat Linux: benchmark tools, 80–81; description of, 33; errata, 18; patching of, 385
Remote access: description of, 325; virtual private network, 326–337
Remote Admin Trojan, 209
Remote desktop functionality, 325
Remote logging, 35
Remote procedure call enumeration, 97
Reporting
Request for Comments 1700, 28
Rijndael algorithm, 253–254
Rivest, Shamir, & Adleman algorithm, 258
Rlogin service, 28
Rootkits, 208–209
Routable protocol stacks, 217
Routing, 218
Rpm, 351
r-protocols, 33
Rulesets, 132, 184–188

S
Samba, 35
Scanlogd, 59–61, 85
Scanning: description of, 92, 94; Fyodor’s nmap, see nmap; netenum, 103, 117; port, 94–96; speed of, 102–103; unicornscan, 103–104, 117
scanrand, 104–106, 117
Screened subnet firewall, 274–275
Secret-key encryption, 251
Secure checksums, 259
Secure hash algorithm, 260
Secure shell, 371–372
Secure sockets layer, 240
Security advisories, 20
Security patches, 89
Security-enhanced Linux, 63–67, 85, 357–359
Sequence identification, 226
Server: Apache Web, See Apache Web server; DNS, 377–378; FTP, 374–376; hardening of, 25; SMTP relay, 376–377
Server licenses, 12
Service identification, 96–97
Services: description of, 347–348; disabling of, 26–28; Rlogin, 28; stand-alone, 31–32; Telnet, 27–28; xinetd.conf, 26–27
Session key, 257
Session layer, of Open Systems Interconnection model, 220–221
Set user ID programs, 357
Sguil, 175
Shared-secret encryption, 251
Signature-based intrusion detection systems: description of, 123, 137; Snort, See Snort
Signatures: community, 126; digital, 263
smbclient, 115–116, 118
smbdumpusers, 112, 114, 118
smbgetserverinfo, 112–113, 118
smb-nat, 118
Smoothwall, 316–325
SMTP, 30, 238–239
SMTP relay server, 376–377
SneakyMan, 135
Sniffed data, 209–210
Sniffer: “Appropriate Use” policy, 241; creation of, 222–223; definition of, 204; intruder use of, 207–209; on intrusion detection systems, 247; one-time passwords to protect against, 240; packet, 130–131; protecting against, 239–241, 246; security breach, 246; virtual private network traffic viewed using, 247
Sniffing: description of, 207–208; legal methods of, 246; mechanisms of, 212–224; packet, 138–143; wireless networks, 231–233
SNMP polling, 400
Snoop, 211
Snort: add-ons, 134–135, 172–174; alert modes, 164; alerting/logging component of, 133–136; architecture of, 129–130; attack susceptibility of, 151–152; Basic Analysis and Security Engine, 165–172; binary format of logs, 156; community signatures with, 126; configuring of, 160–172; definition of, 126, 211; description of; detection engine, 132–133; effectiveness of, 175–176; e-mail alerts, 178; false alerts with, 150; features of, 129–136; firewall with, 145–147, 202; forensics, 198; graphical user interface, 165–170; hardware requirements for, 127–128; incident handling, 198–199; inline mode, 196–197; as intrusion prevention system, 196; logging, 133–136, 138–143; network architecture and, 143–149; network interface card for, 127; network pattern matching behavior, 126; network uses of, 136–138; as network-based intrusion detection systems, 143; on switched networks, 147–149; operating system requirements, 128; options, configuring of, 160–172; packet sniffer, 130–131, 138–143; pitfalls of, 149–151; plug-ins, See Plug-ins; policy enforcement, 197–198; preprocessor (description of, 131–132; plug-ins, 188–195, 202); rulesets, 132, 184–188; security issues with, 151–153, 179, 197–199; sensing interface, 128; sensor, 179; software with, 128–129; in subnets, 143; summary of, 154–155; system requirements for, 127–129; upgrading of, 150–151; uses of, 126; Version 2.6, 188; vulnerabilities of, 152
Snortplot.php, 134
SnortReport, 135
Snortsam, 178
SnortSnarf, 134, 175
Software firewalls, 278–279
Spoofing: definition of, 213, 225; media access control address, 230–231
srvr.up file, 329
SSH, 240
SSL VPN, 328–331
Stand-alone services, 31–32
StartServers, 395
Stateful inspection firewall, 273
Stream4, 189
Stream ciphers, 250, 255, 269
Substitution operations, 253
Sudo: Command, 44–45; configuring of, 47–50; definition of, 42; description of, 84, 89–90; download site for, 42; features of, 43; installing of, 45–47; logging, 53–56; NOPASSWD tag, 52–53, 90; parse errors, 47–48; running of, 50–52; system requirements for, 44
Sudoers file, 47, 50
Sun Remote Procedure Call service, 32
Sun Solaris, 385
SUSE Linux: description of, 85; firewall configuration, 72–74; logs, 71; patching of, 385; securing of, 68–74
Swap space, 343
SWATCH, 57–59, 85, 368–369
Swatch, 134
Switch: defeating of, 229–231; definition of, 159, 227
Switch collision domains, 228
Switch flooding, 229–230
Switch ports, 231
Switched networks: schematic diagram of, 148; Snort on, 147–149
Switched port analyzer, 147, 160, 229
Symmetric cryptography, 265
Symmetric encryption algorithms, 251–255
SYN attack, 360
SYN scan, 94
Syslog daemon, 367–368
Syslog.conf file, 54
Syslogd-ng, 61–62, 85

T
TCP, 225–226
TCP Wrappers, 33, 152, 362–363, 382
TCPDump, 142, 211
TCP/IP: description of, 25; ports used by, 28–30; stack hardening, 359–361
Technical support: assessment of, 11; lack of, 8–9
tee, 116, 118
Telnet: description of, 238; disabling of, 27–28
Testing, 11
Throttle, 59
Time synchronization, 353–355
Timestamp, 59
Time-to-live, 224
Training costs, 2–3
Transport layer, of Open Systems Interconnection model, 218–220
Transport layer security, 240
Triple Data Encryption Standard, 252–253
True demilitarized zone, 277–278

U
UDP packets, 226
UDP ports, 30
Undoing of Bastille changes, 41–42
Undo.pl, 41
unicornscan, 103–104, 117
Unix systems, 386
Update service packages, 18–19
User datagram protocol, 218

V
Vernam cipher, 265–266
Virtual private network: assessments, 110–111; definition of, 326; description of; encryption and authentication used by, 239; network design considerations, 326; OpenSSL, 328–331; OpenVPN, 240; protocol used with, 327; remote access to, 326–337; sniffer for viewing traffic inside, 247; SSL, 328–331; tunnel, 326
Visudo parse error, 47–48
VLAN, 182–183
VLANACL, 182
VNC, 340

W
Web server, 373–374
Window manager, 352–353
Windows: enumeration, 112–116; firewalls, 291; patching of, 385
Windows 2000 and 2003 Server Network Monitor, 211
WinDump, 210
Wireless networks, sniffing of, 231–233
Wireshark, 210, 232, 234, 242

X
X Windows, 331–337, 382
xinetd.conf, 26–27
xml, 99
Xprobe2, 108–109, 117
xSMBrowser, 114–115, 118

Y
Yum, 351
Yum Extender, 351